

Department of Homeland Security 

Office of Inspector General 



Information Technology Management Letter 

for the FY 2008 
Customs and Border Protection 
Financial Statement Audit 
(Redacted) 




Notice: The Department of Homeland Security, Office of Inspector General has redacted the report for public 
release. A review under the Freedom of Information Act will be conducted upon request. 



OIG-09-59 



April 2009 



Office of Inspector General 



U.S. Department of Homeland Security 

Washington, DC 25028 







April 16, 2009 



Preface 



The Department of Homeland Security (DHS) Office of Inspector General (OIG) was 
established by the Homeland Security Act of 2002 (Public Law 107-296) by amendment to the 
Inspector General Act of 1978. This is one of a series of audit, inspection, and special reports 
prepared as part of our oversight responsibilities to promote economy, efficiency, and 
effectiveness within the department. 

This report presents the information technology (IT) management letter for the FY 2008 
Customs and Border Protection (CBP) balance statement audit as of September 30, 2008. It 
contains observations and recommendations related to information technology internal control 
that were not required to be reported in the financial statement audit report (OIG-09-09, 
November 2008) and represents the separate restricted distribution report mentioned in that 
report. The independent accounting firm KPMG LLP (KPMG) performed the audit of CBP's 
FY 2008 financial statements and prepared this IT management letter. KPMG is responsible 
for the attached IT management letter dated December 4, 2008, and the conclusions expressed 
in it. We do not express opinions on CBP's financial statements or internal control or make 
conclusions on compliance with laws and regulations. 

The recommendations herein have been developed to the best knowledge available to our 
office, and have been discussed in draft with those responsible for implementation. We trust 
this report will result in more effective, efficient, and economical operations. We express our 
appreciation to all of those who contributed to the preparation of this report. 




Richard L. Skinner 
Inspector General 



KPMG LLP 

2001 M Street, NW 
Washington, DC 20036 



December 4, 2008 
Inspector General 

U.S. Department of Homeland Security 
Commissioner 

U.S. Customs and Border Protection 

Chief Information Officer 

U.S. Customs and Border Protection 

We have audited the consolidated balance sheets of the U.S. Department of Homeland Security's 
(DHS) Customs and Border Protection (CBP) as of September 30, 2008 and 2007, and related 
consolidated statements of net cost, changes in net position, custodial activity and the combined 
statement of budgetary resources (hereinafter, referred to as "consolidated financial statements") for 
the years then ended. In planning and performing our audit of CBP's consolidated financial 
statements, we considered CBP's internal control over financial reporting in order to determine our 
auditing procedures for the purpose of expressing our opinion on the consolidated financial statements. 

In connection with our fiscal year 2008 audit, we considered CBP's internal control over financial 
reporting by obtaining an understanding of CBP's internal controls, determining whether internal 
controls had been placed in operation, assessing control risk, and performing tests of controls in order 
to determine our procedures. We limited our internal control testing to those controls necessary to 
achieve the objectives described in Government Auditing Standards and OMB Bulletin No. 07-04, 
Audit Requirements for Federal Financial Statements. We did not test all internal controls relevant to 
operating objectives as broadly defined by the Federal Managers' Financial Integrity Act of 1982 
(FMFIA). The objective of our engagement was not to provide an opinion on the effectiveness of 
CBP's internal control over financial reporting. Accordingly, we do not express an opinion on the 
effectiveness of CBP's internal control over financial reporting. 

A control deficiency exists when the design or operation of a control does not allow management or 
employees, in the normal course of performing their assigned functions, to prevent or detect 
misstatements on a timely basis. A significant deficiency is a control deficiency, or combination of 
control deficiencies, that adversely affects CBP's ability to initiate, authorize, record, process, or 
report financial data reliably in accordance with U.S. generally-accepted accounting principles such 
that there is more than a remote likelihood that a misstatement of CBP's financial statements that is 
more than inconsequential will not be prevented or detected by CBP's internal control over financial 
reporting. A material weakness is a significant deficiency, or combination of significant deficiencies, 
that results in more than a remote likelihood that a material misstatement of the financial statements 
will not be prevented or detected by CBP's internal controls. 



KPMG LLP, a U.S. limited liability partnership, is the U.S. 
member firm of KPMG International, a Swiss cooperative 



We noted certain matters involving internal control and other operational matters with respect to 
information technology that are summarized in the Information Technology Management Letter 
starting on page 1. These comments contribute to the significant deficiency presented in our 
Independent Auditors' Report, dated November 15, 2008, and represent the separate restricted 
distribution report mentioned in that report. 

The comments described herein have been discussed with the appropriate members of management 
through a Notice of Finding and Recommendation (NFR), and are intended For Official Use Only. 
We aim to use our knowledge of CBP's organization gained during our audit engagement to make 
comments and suggestions that we hope will be useful to you. We have not considered internal control 
since the date of our Independent Auditors' Report. 

The Table of Contents on the next page identifies each section of the letter. In addition, a description 
of key financial systems and information technology infrastructure within the scope of the FY 2008 
CBP financial statement audit is provided in Appendix A, a description of each internal control 
finding is provided in Appendix B, and the current status of the prior year NFRs is presented in 
Appendix C. 

This report is intended for the information and use of DHS and CBP management, the DHS Office of 
Inspector General, the U.S. Office of Management and Budget, the U.S. Congress, and the 
Government Accountability Office, and is not intended to be and should not be used by anyone other 
than these specified parties. 

Very truly yours, 



KPMG LLP 



U.S. Customs and Border Protection 



Information Technology Management Letter 
September 30, 2008 
OBJECTIVE, SCOPE AND APPROACH 

We have audited the consolidated balance sheets of the U.S. Department of Homeland Security's 
(DHS) Customs and Border Protection (CBP) as of September 30, 2008 and 2007, and related 
consolidated statements of net cost, changes in net position, custodial activity and the combined 
statement of budgetary resources (hereinafter, referred to as "consolidated financial statements") for 
the years then ended. The overall objective of our audit was to evaluate the effectiveness of IT general 
controls of CBP's financial processing environment and related IT infrastructure as necessary to 
support the audit. The Federal Information System Controls Audit Manual (FISCAM), issued by the 
Government Accountability Office, formed the basis of our audit. The scope of the IT general 
controls assessment included testing at CBP's Office of Information Technology (OIT) and other 
offices related to the IT general controls portion of the financial statement audit. 

FISCAM was designed to inform financial auditors about IT controls and related audit concerns to 
assist them in planning their audit work and to integrate the work of auditors with other aspects of the 
financial audit. FISCAM also provides guidance to IT auditors when considering the scope and extent 
of review that generally should be performed when evaluating general controls and the IT environment 
of a federal agency. FISCAM defines the following six control functions to be essential to the 
effective operation of the general IT controls environment. 

• Entity-wide security program planning and management (EWS) - Controls that provide a 
framework and continuing cycle of activity for managing risk, developing security policies, 
assigning responsibilities, and monitoring the adequacy of computer-related security controls. 

• Access control (AC) - Controls that limit and/or monitor access to computer resources (data, 
programs, equipment, and facilities) to protect against unauthorized modification, loss, and 
disclosure. 

• Application software development and change control (ASDCC) - Controls that help to prevent the 
implementation of unauthorized programs or modifications to existing programs. 

• System software (SS) - Controls that limit and monitor access to powerful programs that 
operate computer hardware and secure applications supported by the system. 

• Segregation of duties (SD) - Controls that constitute policies, procedures, and an organizational 
structure to prevent one individual from controlling key aspects of computer-related operations, 
thus deterring unauthorized actions or access to assets or records. 

• Service continuity (SC) - Controls that involve procedures for continuing critical operations 
without interruption, or with prompt resumption, when unexpected events occur. 

To complement our general IT controls audit, we also performed technical security testing for key 
network and system devices, as well as testing of key financial application controls. The technical 
security testing was performed from within select CBP facilities, and focused on test, development, 
and production devices that directly support CBP financial processing and key general support 
systems. 
In addition to testing CBP's general control environment, we performed application control tests on a 
limited number of CBP financial systems and applications. The application control testing was 
performed to assess the controls that support the financial systems' internal controls over the input, 
processing, and output of financial data and transactions. 

• Application Controls (APC) - Application controls are the structure, policies, and 
procedures that apply to separate, individual application systems, such as accounts payable, 
inventory, payroll, grants, or loans. 
SUMMARY OF FINDINGS AND RECOMMENDATIONS 

Financial IT systems security is essential to achieving effective, reliable reporting of financial and 
performance data. As a part of our engagement to perform the financial statement audit, we performed 
an evaluation of the general controls over significant CBP financial IT systems. Effective general 
controls are typically defined by the GAO's FISCAM, in six key control areas: entity-wide security 
program planning and management, access control, application software development and change 
control, system software, segregation of duties, and service continuity. In addition to general controls, 
financial systems contain application controls, which are the structure, policies, and procedures that 
apply to use, operability, interface, edit and monitoring controls of an application. We tested various 
application controls of key CBP financial systems as part of our IT audit test work. 

During fiscal year (FY) 2008, CBP took corrective action to address prior year IT control weaknesses. 
For example, CBP made improvements in how it tracks the hiring, termination, and systems access 
of contracted employees within the Office of Information Technology (OIT). Also, issues with the 
tracking of backup tapes and their location were addressed, as well as issues surrounding the 
management review of control overrides performed in the 

However, during FY 2008, we continued to identify IT general control weaknesses at CBP. The most 
significant weaknesses, from a financial statement audit perspective, related to controls over access to 
programs and data. Collectively, the IT control weaknesses limited CBP's ability to ensure that 
critical financial and operational data were maintained in such a manner to ensure confidentiality, 
integrity, and availability. In addition, these weaknesses negatively impacted the internal controls 
over CBP financial reporting and its operation and we consider them to collectively represent a 
significant deficiency for CBP under standards established by the American Institute of Certified 
Public Accountants (AICPA). The information technology findings were combined into one 
significant deficiency regarding Information Technology for the FY 2008 audit of the CBP 
consolidated financial statements. 

Although we noted improvement, many of the conditions identified at CBP in FY 2007 have not been 
corrected because CBP still faces challenges related to the merging of numerous IT functions, 
controls, processes, and organizational resource shortages. During FY 2008, CBP took steps to 
address these conditions. Despite these improvements, CBP needs further emphasis on the monitoring 
and enforcement of access controls. CBP needs to further emphasize the importance of developing 
and implementing well-documented procedures at the system and entity-level. Many of the issues 
identified during our review, which were also identified during FY 2007 and prior, can be addressed 
through a more consistent application of DHS and CBP policies for IT controls. 

While the recommendations made by KPMG should be considered by CBP, it is the ultimate 
responsibility of CBP management to determine the most appropriate method(s) for addressing the 
weaknesses identified based on their system capabilities and available resources. 
IT GENERAL CONTROL FINDINGS BY AREA 

Conditions: In FY 2008, the following IT and financial system control weaknesses were identified at 
CBP. Many of the issues identified during our FY 2008 engagement were also identified during FY 
2007. The following IT and financial system control weaknesses result in IT being reported as 
contributing to a significant deficiency for financial system security. 

1. Access controls - we noted: 

• Some active connections to do not have documented interconnection security agreements 
(ISA) in place; 

• CBP does not maintain a centralized listing of contract personnel, including employment 
status. Currently, CBP only maintains contractor information for OIT contractors. While this 
is a majority of CBP contractors, it does not include all CBP contractors. Additionally, as a 
result of additional test work, we noted data validity issues in the ; 

• CBP workstation policy for screensavers is not appropriately implemented. Specifically, we 
noted that the configuration of a password-protected screensaver can be modified by the user, 
allowing that user to remove the password requirement and also to disable the screensaver 
completely; 

• The following issues in regard to for the 

o A solution has been implemented to track and monitor security and audit related 
activity but has not been operational for the entire fiscal year; 

o There is a configuration weakness for capturing security and audit related activity 
in the Protection application. The configuration has changed on multiple occurrences 
in regards to tracking activity for the ' to ' field in FY 2008; and 

o There is no defined method to generate and review security audit logs for security 
violations. 

• CBP implemented a script to disable accounts after thirty days of inactivity. However, the 
script was not functioning appropriately for most of the fiscal year and was only remedied 
during the third quarter of FY 2008; 

• A total of 10 mainframe audit logs were not available for the following dates: November 12, 
2007, February 22, 2008, and March 7, 2008. For November 12, 2007, logs were not available 
for , and . For February 
22, 2008, logs were not available for the and . For March 7, 2008, 
logs were not available for , and . It was further noted 
that all mainframe audit and system utility logs that went digital after April 1, 2008 were 
available for review; 

• has been adjusted to limit active temporary and/or emergency access to 24 hours after the 
request. It was noted, however, that the emergency table is still in use. Further, administrator 
or supervisory approval is not required each time temporary or emergency access is activated. 
Also, Information System Security Manager (ISSM) approval is not required, conflicting with 
DHS policy; 

• There are currently no procedures in place for the completion of semi-annual recertifications of 
the accounts. KPMG also notes that a recertification of the accounts is 
not performed on a semi-annual basis; 

• When changes to a user's access are performed in the log of these events is not regularly 
reviewed by personnel independent from those individuals that initiated the changes. It was 
further noted that logs from March 2008 through July 2008 have not been reviewed by the 
Information System Security Officer (ISSO) or an independent reviewer; 

• Out of 25 dates selected for review, six security violation report reviews were not 
available; 

• Authorizations are not being maintained for personnel that have administrator access to the 
access control program. Additionally, it was noted in FY 2008 that 
access requests for new mainframe are requested and approved verbally; 

• Access request forms were not available for review for three accounts created by the 
administrators during FY 2008; 

• CBP-241 Employee Separation Forms are not completed consistently, with employee and/or 
supervisor signature missing from 7 of the 25 separated employees selected; 

• Formal procedures do not exist for the security violation log review process. It was 
further noted that informal procedures are used by the network security specialist to inspect the 
security violation log for suspicious activity and to document the review; 

• Formal procedures do not exist for the review process of audit and 
. It was further noted that informal procedures are used by the ISSOs to 
inspect logs for suspicious and unusual activity and to document the review; 

• The special characters requirement under password complexity was not appropriately 
configured for 

• Access authorizations for emergency and temporary access to 
are not approved by the ISSM, as required by DHS policy; 

• A Customs Directive was provided as separation procedures for contractors and this directive 
was dated September 2001. The directive references Treasury policies as source 
documentation. This directive is out of date, as CBP is no longer a part of the Department of 
Treasury. Additionally, CBP-242 contractor separation forms are not completed consistently 
for separating CBP contractors. Specifically, it was noted that all forms for selected separated 
contractors were completed; however, 6 of the selected 25 separated contractors' forms were 
completed at least one month after the individual separated from CBP; 

• Non-disclosure agreements (NDAs) are not consistently mandated for CBP contractors; 
• The parameters for the audit and ( 
) are not configured to collect appropriate data. KPMG further noted that three out of the six 
do not produce any data in the log; 

• CBP does not currently require individuals to sign a rules of behavior prior to gaining access to 
CBP information systems; 

• The following weaknesses were identified for the Security Audit Logs procedures: 

o Procedures do not define how often the security audit logs are reviewed, 

o Procedures do not describe the documented evidence of review process, 
Security Violation Log Report, which is created by the ISSO/Independent 
Reviewer, 

o Procedures do not define the sampling methodology that is used to select 
daily security logs, 

o Procedures were not effective for all of FY 2008 (October 1, 2007 - September 
30, 2008); 

• The initial password granted to new accounts is not in compliance with DHS 
requirements; 

• CBP does not have a method of tracking completion of security awareness training for CBP 
employees and contractors. Individuals from the program team responsible for security 
awareness training do not have the ability to identify those individuals who have not 
completed security awareness training and, therefore, cannot ensure all CBP personnel have 
completed this training; 

• The Security Administrators Handbook is out of date and has inaccurate statements of 
CBP and DHS policies. Specifically, the following weaknesses were identified: 

o Out-of-date references to US Customs Service, 

o References to out-of-date Customs (now CBP) policies and procedures (1400-05a), 

o Requirement that initial passwords are set to a weak password string, 

o Statement that does not allow special characters in passwords; 

• The following weaknesses were identified in access control procedures: 

o A periodic (at least semi-annual) recertification of all portal accounts is not 
performed, 

o Formal procedures are not documented for the creation of portal accounts, 

o is not configured to disable accounts after 45 days of inactivity on the 
system; and 

• Two accounts that were created during FY 2008 did not have appropriate access 
authorization forms maintained by the administrators. It was further noted 
that multiple administrators on the had accounts created by other groups than the 
Support Team. 
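Several of the access-control conditions above are measurable from an account export: the thirty-day inactivity disable script, the 45-day disable setting, the 24-hour emergency-access window, and the ISSM approval requirement. The following Python is an added example, not code from the report, KPMG or CBP; it runs those checks over a constructed account export whose CSV layout, column names and system labels ("mainframe", "portal") are assumptions made for illustration.

```python
"""Added example (not from the OIG report, KPMG or CBP): an access-control compliance
check modelled on the findings above. The CSV layouts, column names and the system
labels "mainframe" and "portal" are assumptions made for illustration."""
import csv
import io
from dataclasses import dataclass
from datetime import datetime, timedelta

# Policy parameters taken from the findings: a 30-day inactivity disable script on one
# system, a 45-day disable setting on the other, emergency access limited to 24 hours
# after the request, and documented ISSM approval for each emergency activation.
AS_OF = datetime(2008, 9, 30)          # fiscal year end used by the audit
INACTIVITY_LIMIT_DAYS = {"mainframe": 30, "portal": 45}
EMERGENCY_WINDOW = timedelta(hours=24)

# Constructed sample exports (not real data).
ACCOUNTS_CSV = """\
user,system,enabled,last_logon
alpha,mainframe,yes,2008-09-28
bravo,mainframe,yes,2008-07-01
charlie,portal,yes,2008-08-20
delta,portal,yes,2008-06-15
echo,mainframe,no,2008-01-01
"""

EMERGENCY_CSV = """\
user,requested_at,active,issm_approved
bravo,2008-09-29 08:00,yes,yes
charlie,2008-09-26 09:00,yes,no
delta,2008-09-29 20:00,yes,no
"""


@dataclass(frozen=True)
class Finding:
    kind: str
    user: str
    detail: str


def stale_enabled_accounts(csv_text: str, as_of: datetime = AS_OF) -> list[Finding]:
    """Enabled accounts idle longer than their system's limit: exactly the accounts a
    working inactivity-disable script should already have disabled."""
    findings = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        if row["enabled"].strip().lower() != "yes":
            continue                     # already disabled, nothing to flag
        limit = INACTIVITY_LIMIT_DAYS[row["system"]]
        idle_days = (as_of - datetime.strptime(row["last_logon"], "%Y-%m-%d")).days
        if idle_days > limit:
            findings.append(Finding("stale_account", row["user"],
                                    f"idle {idle_days} days, limit {limit}"))
    return findings


def emergency_access_exceptions(csv_text: str, as_of: datetime = AS_OF) -> list[Finding]:
    """Emergency grants still active past the 24-hour window, and grants that were
    activated without documented ISSM approval."""
    findings = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        requested = datetime.strptime(row["requested_at"], "%Y-%m-%d %H:%M")
        if row["active"].strip().lower() == "yes" and as_of - requested > EMERGENCY_WINDOW:
            hours = (as_of - requested).total_seconds() / 3600
            findings.append(Finding("emergency_overdue", row["user"],
                                    f"still active {hours:.0f} hours after request"))
        if row["issm_approved"].strip().lower() != "yes":
            findings.append(Finding("missing_issm_approval", row["user"],
                                    "no documented ISSM approval on file"))
    return findings


def summarize(findings: list[Finding]) -> dict[str, int]:
    """Count findings by kind, the per-condition figure an auditor reports."""
    counts: dict[str, int] = {}
    for f in findings:
        counts[f.kind] = counts.get(f.kind, 0) + 1
    return counts


if __name__ == "__main__":
    results = stale_enabled_accounts(ACCOUNTS_CSV) + emergency_access_exceptions(EMERGENCY_CSV)
    for f in results:
        print(f"{f.kind:<22} {f.user:<8} {f.detail}")
    print(summarize(results))
```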
2. Application software development and change controls - no conditions noted. 



3. Service continuity - we noted: 



• is not installed on all workstations for the majority of the fiscal year as 
required. Specifically, it was noted that as of 3/31/2008, 4,751 workstations out of 50,282 
workstations do not have installed; 

• That a complete and up-to-date listing of all CBP workstations is not maintained; 



• the system used to enforce virus protection policies, was not 
installed on all CBP workstations on . It was noted that as of 8/11/2008, 
0.25% of all workstations on did not appear on the listing. In addition to 
this, a conclusion could not be obtained on whether all CBP workstations have antivirus 
protection, as those workstations that are not on are not communicating with 


• The most recent business continuity planning (BCP) testing was incomplete. Specifically, it 
was noted that not all systems were brought online as required since sufficient hardware was 
unavailable at the recovery facility to fully and properly perform the continuity testing; and 

• Documented hardware maintenance procedures do not exist for the environment 
supporting 



4. Entity-wide security program planning and management - no conditions noted. 



5. System software - we noted during our technical testing: 

• Configuration management exceptions were identified on 
and hosts supporting the and applications; and 

• Patch management exceptions were identified on hosts supporting the and the 
applications. 



6. Segregation of duties - no conditions noted. 



Recommendations: We recommend that the CBP Office of Chief Information Officer (OCIO), in 
coordination with the Office of the Chief Financial Officer (OCFO), make the following 
improvements to the CBP financial management systems: 

1. For access controls: 

• Review and maintain a listing of active connections with the and account for each 
connection with a documented interconnection security agreement (ISA); 
• Work on the to ensure that all CBP contractors are included in the 
database and that the data for each contractor is complete and accurate; 

• Determine a method for appropriately applying CBP and DHS policy requiring automatically- 
activated, password-protected screensavers after a period of inactivity; 

• Properly capture appropriate audit log data per DHS policy. KPMG further recommends that a 
method for generating and reviewing security audit logs be developed for the 
according to CBP and DHS policy, to detect potential security events; 

• Regularly run the updated script on the system to disable user accounts after the DHS- 
specified period of inactivity; 

• Maintain audit and per DHS policy; 

• Develop and implement procedures that will appropriately restrict the use of emergency or 
temporary access within and that require documented supervisory approval from the 
ISSM confirming this access is needed. In addition, CBP should perform regular 
recertifications of the emergency access table to ensure persons with the capability to request 
temporary or emergency access need to remain on the emergency access table; 

• Develop formal procedures for recertifying accounts and access to shared data and 
perform regular recertifications of accounts and access to shared data as required 
by developed procedures; 

• Implement the review of security audit logs on a periodic basis by an independent 
reviewer and formalize these procedures in detail for the review of security audit logs; 

• Follow DHS policy and maintain documented evidence of review for security 
violation logs for the duration outlined in DHS policy; 

• Develop and implement procedures to restrict access to mainframe administrative capabilities 
and require documented authorization requests and approval for each person requiring access 
to the administrative capabilities; 

• Continue to develop a method for tracking and consolidating access request forms for the 
and continue to implement the procedures developed to control account creation; 

• Require managers to consistently complete the CBP-241 forms that are required as set forth in 
CBP directives and policy; 

• Create formal procedures to document the security violation log review process; 

• Create formal procedures to document the review process for audit and 
; 

• Follow DHS policy and improve password complexity by including special characters for the 
application; 
• Adjust CBP-level and -level policies to require the ISSM to approve the emergency and 
temporary access authorizations prior to access being granted. Require documented 
supervisory approval from the ISSM each time a user requires emergency access abilities; 

• Review contractor separation directives, document an up-to-date review of this document and 
make modifications as needed based on the new operating environment for CBP as part of the 
Department of Homeland Security. Require the consistent and accurate completion of the 
CBP-242 forms for all separating contractors; 

• Enforce DHS' requirement that a non-disclosure agreement be signed by all contractors in a 
moderate and high risk level position to ensure that they are aware of their responsibilities in 
protecting the confidentiality of DHS and CBP data; 

• Properly configure audit and to capture appropriate data for the 
and that CBP maintain audit and per 
DHS policy; 

• Require all employees and contractors to sign rules of behavior prior to being granted any system 
access. Additionally, for personnel that already have systems access, CBP should prioritize 
having these individuals sign rules of behavior to maintain their systems access; 

• Create detailed procedures that document the review process for security audit logs that 
includes the documented evidence of review; 

• Update the Security Administrator Handbook to require a strong password that is in 
compliance with DHS and CBP password policies to be set as the initial password for all new 
accounts; 

• Develop a method for determining individuals who have and have not completed security 
awareness so that they can actively work towards 100% compliance with the DHS requirement 
that all individuals with systems access complete annual security awareness training; 

• Perform a full review of the Security Administrators Handbook and update the document 
to reflect the current operating environment. This review should be fully documented and 
the Handbook should be updated to include a change log as evidence of the updates made; 

• Document and implement policies and procedures for access control; and 

• Limit the organization that can create accounts and administrator accounts and require 
any accounts created to be created by a single organization. 

2. No findings or recommendations were noted for application software development and change 
control. 



3. For service continuity: 
• Implement procedures to regularly review and monitor the workstations that have 
installed and perform inquiries to determine why identified workstations do not have 
installed; 

• Work with administrators across the country to ensure that new and existing workstations are 
added to a CBP domain to appropriately account for all workstations; 

• Develop procedures to regularly review and monitor the workstations that have antivirus 
protection installed and perform inquiries to determine why identified workstations do not 
have the protection installed and updated; 

• Work to allocate the appropriate hardware at to allow for the system availability to 
fully test the business continuity plan to ensure that has the capability to support CBP 
in the event that the is rendered unavailable for production; and 

• Document hardware maintenance procedures to ensure a consistent application of 
maintenance methodologies for the environment. 

4. No findings or recommendations were noted for entity-wide security program planning and 
management. 

5. For system software: 

• Immediately address configuration management exceptions that were identified during 
technical testing on and hosts supporting the 
and applications; and 

• Immediately address patch management exceptions that were identified during technical 
testing on hosts supporting the and the and applications. 

6. No findings or recommendations were noted for segregation of duties. 



Cause/Effect: Due to the increased allocation of resources to the development and 
implementation project, organizational realignments, and staff turnover, resources were not 
consistently available throughout the year to address all prior year issues noted above. While CBP 
addressed a significant number of prior year issues, several remain unresolved. Some issues from the 
prior year have already been addressed; however, the findings were reissued as these findings were not 
resolved for the entire fiscal year, which is within the scope of the audit. Additionally, several 
weaknesses were noted as a result of changes in DHS policy since FY 2007 that had not been 
incorporated into CBP policy and implementation. By not addressing the conditions noted above, the 
possibility exists for CBP that these risks will be exploited, in either a singular fashion or in 
combination which might affect the availability, confidentiality or integrity of CBP's financial data. 
Criteria: The Federal Information Security Management Act (FISMA) passed as part of the Electronic 
Government Act of 2002, mandates that Federal entities maintain IT security programs in accordance with 
OMB and NIST guidance. OMB Circular No. A-130, Management of Federal Information Resources, 
and various NIST guidelines describe specific essential criteria for maintaining effective general IT 
controls. In addition, OMB Circular No. A-127 prescribes policies and standards for executive 
departments and agencies to follow in developing, operating, evaluating, and reporting on financial 
management systems. In closing, for this year's IT audit, we assessed CBP's compliance with DHS 4300A 
Sensitive Systems Handbook. Additionally, we assessed CBP's implementation of CBP policy, the 
Information Systems Security Policies and Procedures Handbook, version 1.3. 
APPLICATION CONTROL FINDINGS 

During FY 2007, KPMG noted that weaknesses over the processing of drawback claims exist within 
the system. Specifically, did not support the tracking of drawback items to the line item 
level. Rather, only tracked drawbacks on a summary level. This control weakness was 
identified in FYs 2003, 2004, 2005, and 2006. It was presented to CBP management by the KPMG 
financial statement team as a significant control weakness and was also noted by the KPMG IT team. 

Also, due to the design of , certain controls could be overridden without supervisory approval. 
For example, when a CBP entry specialist attempts to liquidate an import entry in , the system 
displays a warning message, indicating that a drawback claim had been filed against the import entry. 
However, entry specialists could override the warning message without supervisory review and 
process a refund without investigating pending drawback claims. The purpose of this warning 
message is to ensure that both a refund and drawback are not paid on the same goods. Entry 
specialists could override system edits designed to detect refunds exceeding the total duty, tax, and 
fees paid on an import entry. did not generate override reports for supervisory review. 

In FY 2008, KPMG noted that CBP OIT had developed a report in which displays all control 
overrides performed at a particular port within . KPMG determined that the report appropriately 
accounts for all overrides in order to address the condition identified in previous fiscal years and 
identified above. Due to the pervasiveness of this application control weakness, the mitigating 
control only partially alleviates the control weakness through implementing this report review process. 
Therefore, this issue remains a material weakness specific to drawbacks when combined with the 
resulting financial audit test work. This material weakness for drawbacks is reported in our 
Independent Auditors' Report, dated November 15, 2008. 
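The control the finding describes, shown as an added illustration that is not part of the OIG report and is not CBP or KPMG code: a hypothetical liquidation routine in which the two system edits named above (a pending drawback claim against the entry, and a refund larger than the duty, tax and fees paid) cannot be bypassed by the entry specialist alone, an override requires a different user as supervisor plus a justification, and every accepted override is written to a record that feeds a per-port override report for supervisory review. All class names, ports, entry numbers, claim numbers and amounts are constructed for the example; the real system's data model and approval workflow are not described on the page.

```python
"""Hypothetical liquidation control (constructed example; not CBP code).

Two edits fire when an entry specialist liquidates an import entry:
  PENDING_DRAWBACK     an open drawback claim exists, so a refund now could pay
                       both refund and drawback on the same goods
  REFUND_EXCEEDS_PAID  the refund exceeds the duty, tax and fees collected
Neither edit is overridable by the specialist alone, and every override is
logged so a supervisor can review all overrides made at a port.
"""
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Dict, List, Optional


@dataclass
class ImportEntry:
    entry_no: str
    port: str
    duty_tax_fees_paid: float   # total collected on the entry
    liquidated: bool = False


@dataclass
class DrawbackClaim:
    claim_no: str
    entry_no: str
    status: str                 # "pending" or "paid"


@dataclass
class OverrideRecord:
    timestamp: str
    port: str
    entry_no: str
    edits_overridden: List[str]
    specialist: str
    supervisor: str
    justification: str


class ControlViolation(Exception):
    """An edit fired and no acceptable supervisory override was supplied."""


class LiquidationLedger:
    def __init__(self, entries: List[ImportEntry], claims: List[DrawbackClaim]):
        self.entries: Dict[str, ImportEntry] = {e.entry_no: e for e in entries}
        self.claims = claims
        self.overrides: List[OverrideRecord] = []   # append-only audit trail

    def pending_drawbacks(self, entry_no: str) -> List[DrawbackClaim]:
        return [c for c in self.claims if c.entry_no == entry_no and c.status == "pending"]

    def failed_edits(self, entry: ImportEntry, refund: float) -> List[str]:
        """Names of the system edits that block this liquidation (empty if none)."""
        failed = []
        if self.pending_drawbacks(entry.entry_no):
            failed.append("PENDING_DRAWBACK")
        if refund > entry.duty_tax_fees_paid:
            failed.append("REFUND_EXCEEDS_PAID")
        return failed

    def liquidate(self, entry_no: str, refund: float, specialist: str,
                  supervisor: Optional[str] = None, justification: str = "") -> float:
        entry = self.entries[entry_no]
        if entry.liquidated:
            raise ControlViolation(f"{entry_no}: already liquidated")
        failed = self.failed_edits(entry, refund)
        if failed:
            if not supervisor or not justification.strip():
                raise ControlViolation(f"{entry_no}: edits {failed} need supervisory override")
            if supervisor == specialist:
                raise ControlViolation(f"{entry_no}: specialist may not approve own override")
            # Log the override before the state change so no liquidation can
            # exist without a trace of how the edit was bypassed.
            self.overrides.append(OverrideRecord(
                timestamp=datetime.now(timezone.utc).isoformat(),
                port=entry.port, entry_no=entry_no, edits_overridden=failed,
                specialist=specialist, supervisor=supervisor,
                justification=justification.strip()))
        entry.liquidated = True
        return refund

    def override_report(self, port: str) -> List[OverrideRecord]:
        """Every override at a port, for supervisory review; nothing is filtered out."""
        return [o for o in self.overrides if o.port == port]


def try_liquidate(ledger: LiquidationLedger, *args, **kwargs) -> Optional[str]:
    """None on success, otherwise the violation message (for callers that report, not raise)."""
    try:
        ledger.liquidate(*args, **kwargs)
        return None
    except ControlViolation as exc:
        return str(exc)


def build_sample_ledger() -> LiquidationLedger:
    """Constructed sample data; ports, entry numbers and amounts are made up."""
    entries = [ImportEntry("E-1001", "PORT-A", 1000.0),
               ImportEntry("E-1002", "PORT-A", 800.0),
               ImportEntry("E-1003", "PORT-B", 200.0)]
    claims = [DrawbackClaim("DB-77", "E-1002", "pending"),   # open: blocks a refund on E-1002
              DrawbackClaim("DB-78", "E-1001", "paid")]      # settled: does not block
    return LiquidationLedger(entries, claims)


if __name__ == "__main__":
    ledger = build_sample_ledger()
    print(try_liquidate(ledger, "E-1001", 500.0, "spec1"))   # None: no edit fired
    print(try_liquidate(ledger, "E-1002", 300.0, "spec1"))   # blocked: PENDING_DRAWBACK
    print(try_liquidate(ledger, "E-1002", 300.0, "spec1",
                        supervisor="sup1", justification="claim DB-77 withdrawn"))
    for rec in ledger.override_report("PORT-A"):
        print(rec.entry_no, rec.edits_overridden, rec.specialist, rec.supervisor)
```

The report returned by `override_report` is the detective control the FY 2008 text describes; the preventive part is that `liquidate` refuses the override unless a second person approves it. Keeping the override record separate from the entry itself is what lets a reviewer see overrides that a later edit to the entry might otherwise hide.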
MANAGEMENT COMMENTS AND OIG RESPONSE 

We obtained written comments on a draft of this report from the CBP CIO. Generally, CBP 
management agreed with all of our findings and recommendations and has developed a 
remediation plan to address them. We have incorporated these comments where appropriate and 
included a copy of the comments in Appendix D. We have corrected the risk rating assigned to the 
Notices of Findings and Recommendations within this report; the risk ratings now correspond with 
those presented in the FY 2008 Consolidated Information Technology Management Letter. 

OIG Response 

We agree with the steps that CBP's management is taking to satisfy these recommendations. 




Information Technology Management Letter for the FY 2008 CBP Financial Statement Audit 



Appendix A 

FOR OFFICIAL USE ONLY 
U.S. Customs and Border Protection 
Information Technology Management Letter 
September 30, 2008 

APPENDIX A 

DESCRIPTION OF KEY FINANCIAL SYSTEMS AND IT INFRASTRUCTURE WITHIN THE SCOPE OF 
THE FY 2008 CBP FINANCIAL STATEMENT AUDIT 

DESCRIPTION OF FINANCIAL SYSTEMS AND IT INFRASTRUCTURE 



Below is a description of significant CBP financial management systems and supporting IT 
infrastructure included in the scope of CBP's FY 2008 Financial Statement Audit. 



Locations of Review: 

• The in 
• The in 
• The in 
• The Port of 
• The Port of 



Systems Subject to Review: 

• - is CBP's financial management system that consists of a 'core' system, which supports 
primary financial accounting and reporting processes, and a number of additional subsystems for 
specific operational and administrative management functions. is a client/server-based financial 
management system that was implemented beginning in FY 2004 using a phased approach that replaced 
the based financial system. 

• - is a collection of business process mainframe-based systems used by CBP to track, control, 
and process all commercial goods, conveyances and private aircraft entering U.S. territory for the 
purpose of collecting import duties, fees, and taxes owed to the Federal government. Key application 
software within includes systems for data input/output, entry and entry summary, and collection of 
revenue. 

• - is the commercial trade processing system being developed by CBP to facilitate trade while 
strengthening border security. is being deployed in phases, with final full deployment scheduled 
for FY 2012. Because is partially implemented now and processes a significant amount of revenue 
for CBP, it was included in a limited scope in the FY 2008 financial statement audit. 

• - Used for tracking seized assets, the Customs Forfeiture Fund, and fines and penalties. The 
resulting financial information interfaces with CBP's financial management system. 
APPENDIX B 

FY 2008 NOTICES OF IT FINDINGS AND RECOMMENDATIONS 

Notice of Findings and Recommendation - Definition of Risk Ratings: 

The Notices of Findings and Recommendations (NFRs) are ranked with a risk rating of High, Medium, 
or Low based upon the potential impact that each weakness could have on CBP's information 
technology (IT) general control environment and the integrity of the financial data residing on 
CBP's financial systems, and the pervasiveness of the weakness. The risk ratings are intended only to 
assist management in prioritizing corrective actions, considering the potential benefit of the corrective 
action to strengthen the IT general control environment and/or the integrity of the CBP financial 
statements. Correction of some higher risk findings may help mitigate the severity of lower risk 
findings, and possibly function as a compensating control. In addition, analysis was conducted 
collectively on all NFRs to assess connections between individual NFRs which, when joined together, 
could lead to a control weakness occurring with more likelihood and/or higher impact potential. The 
risk ratings, used in this context, are not defined by Government Auditing Standards, issued by the 
Comptroller General of the United States, or the American Institute of Certified Public Accountants 
(AICPA) Professional Standards, and do not necessarily correlate to a significant deficiency, as 
defined by the AICPA Standards and reported in our Independent Auditors' Report on CBP's 
financial statements, dated December 4, 2008. 

High Risk: A control weakness that is more serious in nature, affecting a broader range of financial IT 
systems, or having a more significant impact on the IT general control environment and/or the 
integrity of the financial statements as a whole. 

Medium Risk: A control weakness that is less severe in nature, but that, in conjunction with other IT 
general control weaknesses identified, may have a significant impact on the IT general control 
environment and/or the integrity of the financial statements as a whole. 

Low Risk: A control weakness minimal in impact to the IT general control environment and/or the 
integrity of the financial statements. 

The risk ratings included in this report are intended solely to assist management in prioritizing its 
corrective actions. 
NFR No.        Description                                               Closed   Repeat
-------------  --------------------------------------------------------  -------  -------------
CBP-IT-07-01   Override of warning in Drawback function without          X
               supervisory approval
CBP-IT-07-02   Interconnection Security Agreements (ISAs)                         CBP-IT-08-02
CBP-IT-07-03   Contractor Tracking Deficiencies                                   CBP-IT-08-03
               Labeling of Backup Media                                  X
CBP-IT-07-05   Password Configurations                                   X
CBP-IT-07-06   Session Disconnects and Locking                           X
CBP-IT-07-07   Version Control for Source Code                           X
               Audit Logs                                                         CBP-IT-08-08
CBP-IT-07-09   Disabling of Inactive Accounts on                                  CBP-IT-08-09
CBP-IT-07-10   Physical Access Recertification                           X
CBP-IT-07-11                                                                      CBP-IT-08-46
CBP-IT-07-12   Install                                                            CBP-IT-08-12
CBP-IT-07-13   Complete List of CBP Workstations                                  CBP-IT-08-13
CBP-IT-07-14   Backup Tape Withdrawal Logging                            X
CBP-IT-07-15   Inactive Accounts                                         X
CBP-IT-07-16   Excessive Emergency Access                                         CBP-IT-08-16
CBP-IT-07-17   Review of                                                 X
CBP-IT-07-18   Recertification of Accounts                                        CBP-IT-08-18
CBP-IT-07-19   Security Awareness Training                               X
CBP-IT-07-20   Access Controls                                           X
CBP-IT-07-21   Review of Changes to Security Profiles in                          CBP-IT-08-21
CBP-IT-07-22   OIT Documentation Not Formally Approved                   X
CBP-IT-07-23   Emergency Change Executive Approvals for                  X
CBP-IT-07-24   Re-recertification Process                                X
CBP-IT-07-25   No formal designation of ISSO for                         X
CBP-IT-07-26   Review of Security Violation Logs                                  CBP-IT-08-26
CBP-IT-07-27   Administrator Access Authorization Weaknesses                      CBP-IT-08-27
CBP-IT-07-28   Access Policies and Procedures                                     CBP-IT-08-28
CBP-IT-07-29   Completion of CF-241 Forms for Terminated Employees                CBP-IT-08-29
CBP-IT-07-30   Removal of Terminated Employees from                      X
CBP-IT-07-31   High Risk Combinations                                    X
CBP-IT-07-32   Change Documentation                                      X
CBP-IT-07-33   Change Documentation                                      X
CBP-IT-07-34   Installation of Anti-Virus Protection                              CBP-IT-08-34
CBP-IT-07-35   Configuration Management                                           CBP-IT-08-35
CBP-IT-07-36   Patch Management                                                   CBP-IT-08-36

FY 2007 Issued NFRs: 36 
FY 2007 Closed NFRs: 19 
FY 2007 Reissued NFRs: 17 
MANAGEMENT RESPONSE TO DRAFT U.S. CUSTOMS AND BORDER PROTECTION 
IT MANAGEMENT LETTER 
U.S. Department of Homeland Security 
U.S. Customs and Border Protection 

Assistant Inspector General, Information Technology Audits 

FROM: Charles Armstrong 
Assistant Commissioner 
Office of Information and Technology 

Draft Audit Report - Information Technology Management Letter for the Fiscal Year (FY) 2008 
U.S. Customs and Border Protection Financial Statement Audit 

This is in reply to your memorandum dated February 13, 2009, requesting written comments on 
the draft report that addresses the recommendations that are included in the subject Information 
Technology (IT) Management Letter. The U.S. Customs and Border Protection (CBP) Office of 
Information and Technology (OIT) would like to provide the following comments on the remediation 
actions that are being performed for the findings and recommendations from the Fiscal Year (FY) audit. 

General Comments 

We note that last year the management letter was addressed to the Commissioner of CBP. 
In addressing this year's letter directly to CBP OIT it was incorrectly addressed to the "Acting" 
Assistant Commissioner. 

Concerning the risk level assigned to several of the findings, there are differences between this 
draft and the draft of the consolidated FY 2008 Department of Homeland Security Draft IT 
Management Letter which we reviewed last week. We request clarification on which risk levels 
are assessed for each finding. 

Access Controls 

CBP concurred with KPMG's recommendations in this area. All recommendations concerning 
the have been implemented. In addition, the recommendation dealing with IT Security 
Awareness training has been completed. Building on the , the issues dealing with contractor 
access have also been addressed. The work on some issues dealing with access and with the 
is still in progress. Corrective Action Plans (CAPs) have been implemented for the Notices of 
Findings and Recommendations (NFRs) and their status is provided in the attachment. 

Service Continuity 

CBP concurred with KPMG's recommendations in this area. The recommendation concerning 
maintenance of the environment has been completed. The recommendations concerning a 
complete count of workstations, , and ePolicy Orchestrator were closely related and 
interdependent. These are scheduled to be completed at the end of February. 

In regard to business continuity planning, the equipment is expected to be in place by July 
of this year. 

System Software 

CBP concurred with KPMG's recommendations in this area. CAPs have been implemented for 
the NFRs and their status is provided in the attached document. 

Application Control 

As noted by the auditors, CBP OIT developed a report in to account for all drawback 
overrides. This capability has been provided to users as a mitigation pending the full 
replacement of . 

Thirty-[illegible] NFRs were issued to CBP OIT during the FY 2008 audit (15 were reissues of FY 
2007 findings and 18 were new). To date, 14 have been completed and await closure, pending 
KPMG review. CAPs are in progress for the remaining recommendations and their status is 
provided in the attached. 

If you have any questions concerning this response, please contact Ms. Judy Wright, Office of 
Information and Technology Audit Liaison, at [telephone number illegible]. 

Attachment 